review-pr: Avoid OIDC for direct API key reviews#40
Open
vvoland wants to merge 2 commits into
Direct API-key callers do not need AWS-backed credential setup, but the reusable workflow unconditionally requested id-token: write and ran setup-credentials. Organizations that disable OIDC for reusable workflows were blocked at the permission-validation step.

Drop the top-level and per-job permissions blocks so the workflow inherits from the caller. When a model key secret is supplied, skip the OIDC credential fetch and authorize using the caller's GITHUB_TOKEN by checking repository write permission instead of Docker org membership.

setup-credentials/action.yml gains a fetch-credentials input (default true). When false, DOCKER_AGENT_ACTION_ROOT is exported and Node.js is set up, but the OIDC exchange is skipped. The review job always runs setup-credentials (for DOCKER_AGENT_ACTION_ROOT and Node) and passes fetch-credentials dynamically, so direct-key callers pay no OIDC cost. The reply-to-feedback and reply-to-mention jobs skip setup-credentials entirely when a direct key is present — they use bash gh-api calls and uses: actions, not dist/ scripts, so neither DOCKER_AGENT_ACTION_ROOT nor an explicit Node install is needed.

src/check-org-membership adds checkRepositoryWritePermission (write/maintain/admin collaborator check) and an isAuthorizedUser helper that dispatches to org membership (when ORG_MEMBERSHIP_TOKEN is set) or the repo permission check (when it is not). The CLI entry point now accepts GITHUB_TOKEN as a fallback for GITHUB_APP_TOKEN.

The mention-reply handler and the reply-to-feedback auth step receive the same treatment: org-membership-token is now optional; when absent, authorization falls back to checkRepositoryWritePermission. The HAS_DIRECT_API_KEY guard that silently dis

Signed-off-by: Paweł Gronowski <pawel.gronowski@docker.com>
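The authorization fallback the description lays out (org membership when ORG_MEMBERSHIP_TOKEN is set, otherwise a write/maintain/admin collaborator check, with GITHUB_TOKEN accepted as a fallback for GITHUB_APP_TOKEN), written out as an added TypeScript example. This is not the project's src/check-org-membership code: ApiClient, FakeGitHub, the acme/widgets fixtures and every helper name other than isAuthorizedUser and checkRepositoryWritePermission are assumptions, and the fake responses stand in for the two public GitHub REST endpoints named in the comments. The decision logic is kept in pure functions over the HTTP response so that an API failure raises instead of being read as "not authorized".

```typescript
// Added example, not the project's code. Assumed endpoints (public GitHub REST API):
//   GET /orgs/{org}/members/{username}
//       -> 204 when the user is a member, 404 when not (or not visible to the caller)
//   GET /repos/{owner}/{repo}/collaborators/{username}/permission
//       -> 200 { permission: admin|write|read|none, role_name: admin|maintain|write|triage|read|<custom> }
//       -> 404 when the user is unknown

interface ApiResponse {
  status: number;
  body?: unknown;
}

// Minimal client abstraction so the logic can be exercised offline (assumption).
interface ApiClient {
  get(path: string): Promise<ApiResponse>;
}

// Environment variables named in the PR description.
interface Env {
  ORG_MEMBERSHIP_TOKEN?: string;
  GITHUB_APP_TOKEN?: string;
  GITHUB_TOKEN?: string;
}

// Roles the PR treats as authorized: write, maintain, admin.
const WRITE_ROLES: ReadonlySet<string> = new Set(['write', 'maintain', 'admin']);

// CLI fallback from the PR: GITHUB_APP_TOKEN, else GITHUB_TOKEN; fail fast if neither is set.
function selectGithubToken(env: Env): string {
  const token = env.GITHUB_APP_TOKEN || env.GITHUB_TOKEN;
  if (!token) {
    throw new Error('GITHUB_APP_TOKEN or GITHUB_TOKEN must be set');
  }
  return token;
}

// Dispatch rule from the PR: org membership only when ORG_MEMBERSHIP_TOKEN is present.
function selectAuthMode(env: Env): 'org-membership' | 'repo-permission' {
  return env.ORG_MEMBERSHIP_TOKEN ? 'org-membership' : 'repo-permission';
}

// Pure decision over the membership endpoint. Only 204/404 are answers; any other
// status is an API failure and must not be silently treated as "not a member".
function membershipFromResponse(res: ApiResponse): boolean {
  if (res.status === 204) return true;
  if (res.status === 404) return false;
  throw new Error(`membership check failed: HTTP ${res.status}`);
}

// Pure decision over the collaborator-permission endpoint. role_name carries the
// fine-grained role (maintain, triage); the legacy permission field collapses
// maintain into "write", so both are consulted. read/triage/none are rejected.
function writePermissionFromResponse(res: ApiResponse): boolean {
  if (res.status === 404) return false; // unknown user
  if (res.status !== 200) {
    throw new Error(`permission check failed: HTTP ${res.status}`);
  }
  const body = (res.body ?? {}) as { permission?: string; role_name?: string };
  return WRITE_ROLES.has(body.role_name ?? '') || WRITE_ROLES.has(body.permission ?? '');
}

async function checkOrgMembership(api: ApiClient, org: string, user: string): Promise<boolean> {
  const res = await api.get(`/orgs/${encodeURIComponent(org)}/members/${encodeURIComponent(user)}`);
  return membershipFromResponse(res);
}

async function checkRepositoryWritePermission(api: ApiClient, owner: string, repo: string, user: string): Promise<boolean> {
  const path = `/repos/${encodeURIComponent(owner)}/${encodeURIComponent(repo)}` +
    `/collaborators/${encodeURIComponent(user)}/permission`;
  return writePermissionFromResponse(await api.get(path));
}

async function isAuthorizedUser(api: ApiClient, env: Env, org: string, repo: string, user: string): Promise<boolean> {
  selectGithubToken(env); // a real client would send this as the Authorization header
  if (selectAuthMode(env) === 'org-membership') {
    return checkOrgMembership(api, org, user);
  }
  return checkRepositoryWritePermission(api, org, repo, user);
}

// Constructed offline stand-in for the GitHub API; acme/widgets, alice, bob, mallory are fixtures.
class FakeGitHub implements ApiClient {
  constructor(private readonly routes: Record<string, ApiResponse>) {}
  async get(path: string): Promise<ApiResponse> {
    return this.routes[path] ?? { status: 404 };
  }
}

const fakeApi = new FakeGitHub({
  '/orgs/acme/members/alice': { status: 204 },
  '/orgs/acme/members/bob': { status: 404 },
  '/repos/acme/widgets/collaborators/alice/permission': { status: 200, body: { permission: 'write', role_name: 'maintain' } },
  '/repos/acme/widgets/collaborators/bob/permission': { status: 200, body: { permission: 'read', role_name: 'triage' } },
});

// Runs both modes against the fixtures and returns the decisions.
async function demo(): Promise<Record<string, boolean>> {
  const withOrgToken: Env = { ORG_MEMBERSHIP_TOKEN: 'fixture-org-token', GITHUB_TOKEN: 'fixture-github-token' };
  const directKeyOnly: Env = { GITHUB_TOKEN: 'fixture-github-token' };
  return {
    aliceOrg: await isAuthorizedUser(fakeApi, withOrgToken, 'acme', 'widgets', 'alice'),
    bobOrg: await isAuthorizedUser(fakeApi, withOrgToken, 'acme', 'widgets', 'bob'),
    aliceRepo: await isAuthorizedUser(fakeApi, directKeyOnly, 'acme', 'widgets', 'alice'),
    bobRepo: await isAuthorizedUser(fakeApi, directKeyOnly, 'acme', 'widgets', 'bob'),
    mallory: await isAuthorizedUser(fakeApi, directKeyOnly, 'acme', 'widgets', 'mallory'),
  };
}

demo().then((r) => console.log(r));
```

The split between the pure `*FromResponse` functions and the async wrappers is deliberate: a 5xx or a rate-limit response raises and fails the job instead of being folded into a false "not authorized", and the decision table can be unit-tested without a network. With a direct key and no ORG_MEMBERSHIP_TOKEN, a triage-level collaborator (bob) is refused while a maintainer (alice) is accepted, which is the write/maintain/admin boundary the description names.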